Posted by samzenpus on Monday June 02, 2014 @11:50AM from the shutting-it-down dept.

tsu doh nimh (609154) writes "The U.S. Justice Department announced today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and that the botnet is responsible for more than $100 million in losses from online banking account takeovers. The government alleges that Gameover also was rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. In a complaint unsealed today, the DOJ further alleges that ZeuS and Gameover are the brainchild of a Russian man named Evgeniy Mikhailovich Bogachev, a.k.a. 'Slavik.'"

That sounds poetic and I understand it is a general (likely warranted) shot at Windows, but it's not really applicable. Cleaning an infected machine results in one less infected machine. The act of cleaning does not generate 2 more infected machines and in fact shrinks the botnet by some, albeit small, degree. There is never a situation where cleaning a Windows machine is a bad option, which keeps a significant number of us employed/harassed by friends/relatives.

I was under the impression the NSA hired these people to make the botnets to harvest data. Once the NSA is done using it or are near exposure they dump everything on the person they hired and place the blame there.

Just have to put this out there, but now that the government has taken control, how much do you want to bet the NSA will use this opportunity to spy? Even if they do not use Zeus long term, they could use it to install their own software on millions of PCs that are already infected.

Here's what I don't get about that. The way the article shows the structure of the Gameover botnet, it looks like the C&C servers are hard-coded in. The person who coded the botnet control program would have no reason to give away his source code. If they've already seized the C&C servers, and the only person who can change the code has been arrested, how could new C&C servers pop up so quickly, unless Gameover Zeus has already been forked?

Presumably there's some concept of a CA / revocation list where infected nodes can find messages in a public channel or forum of some kind that tell where to reach the new C&C servers. I'm struggling with this as well, but it seems reasonable to assume from the quoted text that those machines are checking in regularly with the C&C servers, which the authorities now control, and they are checking in less frequently (every 2 weeks) with some other channel that is not controlled by the authorities, wh